CyberCrime & Doing Time

Tuesday, February 13, 2018

February 11th marked the 39th anniversary of the Islamic Revolution in Iran, the day when the Shah was overthrown and the government replaced by the Ayatollah Khomeini, called "The Supreme Leader" of Iran. February 10th marked something quite different -- the day when hackers gained administrative control of more than 30 Iranian news websites, used stolen credentials to log in to their Content Management Systems (CMS), and published a fake news article announcing the death of Ayatollah Khamenei.

The Iranian Ministry of Communications and Information Technology shared the results of their investigation via the Iranian CERT (certcc.ir) which has announced the details of the hack in this PDF report. All of the websites in question, which most famously included ArmanDaily.ir, were hosted on the same platform, a Microsoft IIS webserver running ASP.net.

Most of the thirty hacked websites were insignificant as far as global traffic is concerned, but several are quite popular. We evaluated each site listed by CERTCC.ir by looking up its Alexa ranking. Alexa tracks the popularity of websites across the Internet. Three of the sites are among the 100,000 most popular websites on the Internet.

News Site            Alexa Ranking
SharghDaily.ir       33,153
NoavaranOnline.ir    43,737
GhanoonDaily.ir      79,955
Armandaily.ir        104,175
BankVarzesh.com      146,103
EtemadNewspaper.ir   148,450
BaharDaily.ir        410,358
KaroonDaily.ir       691,550
TafahomNews.com      1,380,579
VareshDaily.ir       1,435,862
NimnegahShiraz.ir    2,395,969
TWeekly.ir           2,993,755
NishKhat.ir          3,134,287
neyrizanfars.ir      3,475,281
Asreneyriz.ir        7,820,850
Ecobition.ir         8,819,111
saraFrazanNews.ir    9,489,254
DavatOnline.ir       9,612,775

These rankings would put the online readership of the top news sites listed on a par with a mid-sized American newspaper. For example, the Fort Worth Star-Telegram ranks 31,375, while the Springfield, Illinois State Journal-Register is 84,882. (For more examples, the Boston Globe is 4,656, while the New York Times is #111.)

CERTCC.ir's report notes that the primary explanation of the attack is that all of the attacked news sites used "the default user name and password of the backup company", and that a "high-level" gmail.com email account with the same username and password had permissions to all sites.

Although the official Islamic Republic News Agency says the source of the attack was "the United Kingdom and the United States", that accusation is not entirely clear after reviewing the report from the CERT. The IP address 93.155.130.14 is listed by the Iranian CERT as belonging to a UK-based company using AS47453. Several sources, including the Iranian site fa.alalam.ir, point out that this is actually a Bulgarian IP address. AS47453 belongs to "itservice.gb-net", with support details listed in Pleven, Bulgaria.

93.155.130.14 - mislabeled in the original CERTCC.ir report

This IP address error does seem to have been human error rather than deception, and the CERT has released an updated version of the Iranian news site hacking report, which can be found here, showing the corrected information.

The Corrected version of the report ... (created Feb 12 0408AM)

The CERT report is rather uncomplimentary of the hackers, mentioning that there seem to have been several clumsy, failed attempts to dump a list of userids and passwords from the Content Management System database via SQL Injection attacks, as well as several other automated attacks. In the end, however, the measure of a hacker is in many ways SUCCESS, and it does seem that the objective, shaming the Ayatollah by declaring his death on the eve of the Islamic Revolution holiday, was achieved.

While a source IP address alone cannot provide attack attribution, Newsweek reports that on the day the attack began (Thursday, February 8, 2018), Ayatollah Ali Khamenei gave a speech to commanders of the Iranian Air Force in which he claimed that the United States had created the Islamic State militant group and that the USA is responsible for all the death and destruction ISIS has caused. That could certainly serve as a motive for certain actors. The holiday itself, called "Death to America Day" by American politicians, included the usual occasional burning of American, Israeli, and British flags, as well as several instances of Donald Trump effigies being burned, but overall the protests seemed more timid than in the past.

Friday, December 22, 2017

IcedID Expanding Target List

Although ransomware has been getting all the headlines in the news, banking trojans continue to be an issue. New variants are constantly evolving and presenting new risks. At UAB, we have been looking closely at banking trojans such as Ramnit, TrickBot, IcedID and so on. Recently, Cliff Wilson, malware analyst at the UAB malware lab, helped establish that TrickBot was spamming. TrickBot has been silent for the past week, so he was asked to dive into the IcedID banking trojan.

IcedID Banking Trojan

This analysis focuses on the malware sample with the SHA-256 hash:
3f4d7a171ab57b6c280ad4aed9ebf8f74e5228658cb4a576ada361a7d7ff5df4

This sample is identified by ESET as "Win32/Spy.Icedid.A", although many AV engines, including Ahn, Aegis, and Kaspersky, refer to it as part of the Andromeda family. As with most malware, most AV engines offer only the meaningless identifier "Generic", such as AVG (Win32:Malware-Gen), McAfee (Generic Trojan.i), Symantec (Trojan.Gen.2), and TrendMicro (TROJ_GEN.R002C0WL517).

While testing this sample, we noticed the same behavior we have observed before: web injects and phishing pages on financial websites. During further analysis of the IcedID process and its web-injects, Cliff made an interesting observation.

The URL https[:]//financebankpay[.]com/ was found in the web-injects and hosts dozens of 'mock' web pages and phishing pages for IcedID's targeted sites. The pages we had observed in the earlier IcedID sample were present: pages for Discover, Citi, Chase, Amazon, Amex and a few others. Several new pages were discovered which we had not observed before.

FinanceBankPay.com was purchased from Chinese registrar EraNet and hosted on a Russian IP address. The WHOIS information was bogus, borrowing the name of a man from Texas, but saying he lived in the city of "Kileen" with the state "DK", using a throw-away email from "pokemail.net" for his WHOIS email address.

When the victim visited a targeted URL, the malware loaded the web-inject by pulling a page from FinanceBankPay.com at one of the following paths and presented it as if it were content from the true brand.

A few examples of the new emulated pages with injected code are as follows.

Gmail

https://www.financebankpay[dot]com/gmail/

Fig. 1: Login Page for Google Account

The Google web-inject can be reached by trying to log in through any Google service (Gmail, Hangouts, YouTube) while infected with IcedID.

Outlook

https://www.financebankpay[dot]com/live/

Fig. 2: Login Page for Outlook

US-based banks

https://www.financebankpay[dot]com/citiCards/

Fig. 3: Stealing credit card details and PIN for a US bank

https://www.financebankpay[dot]com/wellsoffice/

Fig. 4: Business Portal Login for US Based Bank
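The inject pages above are published in defanged form ("[dot]"), so before they can be searched for in proxy telemetry they have to be turned back into real URLs and normalized (host case, trailing slashes). The following is an added example, not code from the original post or from the UAB lab: it refangs the indicators as printed above, indexes them by host and path, and scans constructed proxy log lines, labelling exact page hits with the inject name and flagging any other request to the inject host or one of its subdomains. The log format and every log line are constructed for illustration.

```python
"""Match the FinanceBankPay web-inject indicators against proxy log lines.

Added example (not code from the original post or from the UAB lab). The IoC
list reproduces the host and paths named in the post, still in their defanged
form; the proxy log lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the post prints them, defanged with "[dot]".
IOCS = [
    "https://www.financebankpay[dot]com/gmail/",
    "https://www.financebankpay[dot]com/live/",
    "https://www.financebankpay[dot]com/citiCards/",
    "https://www.financebankpay[dot]com/wellsoffice/",
]

# Constructed log lines: "<timestamp> <client> <method> <url> <status>".
LOG_LINES = [
    "2017-12-20T10:14:55Z 10.0.0.15 GET https://www.citi.com/login 200",
    "2017-12-20T10:14:57Z 10.0.0.15 GET https://www.financebankpay.com/citiCards/ 200",
    "2017-12-20T10:15:30Z 10.0.0.22 GET https://accounts.google.com/signin 200",
    "2017-12-20T10:15:31Z 10.0.0.22 GET https://WWW.FinanceBankPay.com/gmail/ 200",
    "2017-12-20T10:16:02Z 10.0.0.40 GET https://www.example.org/ 200",
    "2017-12-20T10:17:11Z 10.0.0.51 GET https://cdn.financebankpay.com/static/app.js 200",
    "garbage line that does not parse",
]


def refang(indicator: str) -> str:
    """Undo common defanging ("[dot]", "[.]", "[:]", "hxxp") so the IoC parses as a URL."""
    s = indicator.strip()
    s = re.sub(r"\[(?:dot|\.)\]", ".", s, flags=re.IGNORECASE)
    s = s.replace("[:]", ":").replace("[/]", "/")
    s = re.sub(r"^hxxps?", lambda m: m.group(0).lower().replace("xx", "tt"), s,
               flags=re.IGNORECASE)
    return s


def _host_path(url: str):
    """Lower-cased host and path with the trailing slash stripped, so
    '/citiCards/' and '/citicards' compare equal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/").lower() or "/"
    return host, path


def ioc_index(indicators):
    """Build {(host, path): inject_name} plus the set of registered domains,
    used to catch any other path or subdomain on the same inject host."""
    index, domains = {}, set()
    for ioc in indicators:
        host, path = _host_path(refang(ioc))
        index[(host, path)] = path.rsplit("/", 1)[-1] or "root"
        domains.add(host[4:] if host.startswith("www.") else host)
    return index, domains


def scan(lines, indicators=IOCS):
    """Return (timestamp, client, label) for each request touching an inject host.
    Exact page matches carry the inject name; any other request to the host or
    its subdomains is labelled 'other-path-on-inject-host'."""
    index, domains = ioc_index(indicators)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or "://" not in fields[3]:
            continue  # malformed record: skip it rather than abort the whole scan
        ts, client, url = fields[0], fields[1], fields[3]
        host, path = _host_path(url)
        if (host, path) in index:
            hits.append((ts, client, index[(host, path)]))
        elif any(host == d or host.endswith("." + d) for d in domains):
            hits.append((ts, client, "other-path-on-inject-host"))
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(*hit)
```

The host-level match matters as much as the exact paths: a client that fetched any resource from the inject host during a banking session is worth a look even if the path is one the post did not list.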

Additional findings

This sample, along with other recently tested IcedID samples, exhibited the following behaviors:

- created the directory \onaodecan in \AppData\Local
- created "sonansoct.exe" within this directory
- soon after, created a .TMP file within \AppData\Local\Temp
- opened this file as a process, then closed the main process
- this file was updated throughout the testing period
- other .TMP files were also created, but not executed (further analysis of these files is needed)
- any visited URL could be found in the memory strings of the .TMP process after visiting
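The behaviors listed above translate directly into endpoint detection logic: an executable dropped into a freshly created directory under \AppData\Local, and a .TMP file written to \AppData\Local\Temp and then started as a process. The following is an added example, not code from the original post or from the UAB lab. It walks a constructed stream of events shaped like Sysmon FileCreate (event 11) and ProcessCreate (event 1) records, remembers file drops so that a later process start can be tied back to them, and keys on the pattern rather than on the literal names, since the directory and file names are sample-specific. The allowlist of legitimate \AppData\Local directories is an assumption to be tuned per environment.

```python
"""Hunt for the IcedID file/process pattern listed above in endpoint telemetry.

Added example (not code from the original post or the UAB lab). The event
records mimic the shape of Sysmon event 11 (FileCreate) and event 1
(ProcessCreate) but every value is constructed; the directory and file names
echo the indicators above, and the rules key on the pattern rather than on
those names, since droppers typically randomize them per sample.
"""
import re

# Directories under %LOCALAPPDATA% that routinely hold executables.
# Assumption: tune this allowlist for your own estate.
KNOWN_LOCAL_DIRS = {"microsoft", "google", "programs", "packages", "temp"}

# First path component after \AppData\Local\ (paths are lower-cased first).
LOCAL_DIR_RE = re.compile(r"\\appdata\\local\\([^\\]+)\\")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\")

# Constructed sample stream, in the order the sensor would emit it.
EVENTS = [
    {"id": 11, "target": r"C:\Users\alice\AppData\Local\onaodecan\sonansoct.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\onaodecan\sonansoct.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "target": r"C:\Users\alice\AppData\Local\Temp\~DF3A2C.tmp"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\~DF3A2C.tmp",
     "parent": r"C:\Users\alice\AppData\Local\onaodecan\sonansoct.exe"},
    # The post notes other .TMP files were written but never run: no alert expected.
    {"id": 11, "target": r"C:\Users\alice\AppData\Local\Temp\~DF9911.tmp"},
    # Benign launches that must stay quiet.
    {"id": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def classify_process(image: str, created_files) -> list:
    """Findings for one process image path.

    created_files: lower-cased paths from earlier FileCreate events, used to
    tie the execution back to the drop (the 'dropped-then-executed' chain)."""
    findings = []
    p = image.lower()
    # Windows loads a PE regardless of its extension, so a .tmp image started
    # from Temp is a strong signal on its own.
    if p.endswith(".tmp") and TEMP_RE.search(p):
        findings.append("executed .tmp from Temp")
        if p in created_files:
            findings.append("dropped-then-executed")
    m = LOCAL_DIR_RE.search(p)
    if m and p.endswith(".exe") and m.group(1) not in KNOWN_LOCAL_DIRS:
        findings.append(f"exe in unknown %LOCALAPPDATA% dir '{m.group(1)}'")
    return findings


def hunt(events) -> list:
    """Walk the stream once, remembering file drops so later process starts can
    be correlated. Returns (image, parent, findings) for each suspicious start."""
    created, alerts = set(), []
    for ev in events:
        if ev["id"] == 11:
            created.add(ev["target"].lower())
        elif ev["id"] == 1:
            findings = classify_process(ev["image"], created)
            if findings:
                alerts.append((ev["image"], ev.get("parent", ""), findings))
    return alerts


if __name__ == "__main__":
    for image, parent, findings in hunt(EVENTS):
        print(f"{image} (parent {parent}): {'; '.join(findings)}")
```

The correlation step is what separates the executed .TMP from the ones the post says were written but never run: the latter produce a FileCreate record and nothing else, so they stay out of the alert list while remaining available for follow-up analysis.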

Researchers will continue to provide regular and interesting updates about the different types of banking trojans floating in the wild. We need a consistent and combined effort from all financial institutions to deal with this malaise for the banking sector and end users.

Monday, November 20, 2017

The malware research team in the UAB Computer Forensics Research Lab is widening its horizon and is always on the lookout for new malware families. While researching new malware families, Arsh Arora, Ph.D. Candidate at UAB, found some chatter about the new banking trojan IcedID. Although ransomware is the most discussed malware in the press, for many financial institutions the most feared malware type is the banking trojan. The objective of most banking trojans is to steal banking credentials and eventually steal the money from account holders.

IcedID Banking Trojan

IBM X-Force discovered a new banking trojan, IcedID, which was first detected in September 2017. It is known as a modified version of the Zeus Trojan. The trojan is spread by the Emotet worm, which is able to spread from machine to machine inside a network via weak administrator passwords.

One of our malware research team members, Shawn Sharp, decided to dig into this malware. IBM had already provided a detailed explanation of the infection part, so we decided to take a different approach and focused on analyzing the web injects on a number of websites.

VirusTotal detection: 49/67. The sad part is that only 1 of the 49 detections named it IcedID, which commonly happens when marketing departments name malware. (The only company to call it IcedID was ALYac, the anti-virus product from ESTSecurity Corp in Seoul, Korea. ESET, Microsoft, and TrendMicro all call this a sample of Fareit malware.)

When Shawn launched the process, it didn't trigger on its own; a browser had to be launched to activate the banking trojan.

Fig. 1: Activation of Banking Trojan IcedID

Once the trojan was activated, the following financial institution strings were found in the memory of the running sample when checked with Process Hacker.

When we visited a few of these websites and provided fake credentials, the web-inject process modified the user experience by asking the website visitor for extra details. It is noteworthy that these changes to the page happen in browser memory, meaning that the "https:" and "Secure" labels are still present even though the page has been altered.

Amazon

Fig. 2: Amazon Web-Inject asking for card number

Although we really are at Amazon.com, the malware is causing our browser to ask us for the details of our credit card!

Chase

Fig. 3: Chase Web-Inject asking for additional details

The malware makes Chase's website appear to ask us for not only our Card Number and Expiration Date, but also our CVV and PIN!

Citi

Fig. 4: Citi Web-Inject asking for additional details

Machines infected with IcedID will also ask for these details after a login attempt at Citi.com!

Discover

Fig. 5: Discover Web-Inject asking for additional details

The Discover.com website asks for card details, but also our Date of Birth and the last four digits of our Social Security Number!
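Because the inject rewrites the page inside the browser, TLS and the "Secure" label say nothing about whether the form the user sees is the form the bank served. One defensive check that follows from this, and from the extra card, CVV, PIN, date-of-birth and SSN fields shown for Amazon, Chase, Citi and Discover above, is to compare the field set of the page as served with the field set of the DOM as rendered and treat any additions as suspect. The following is an added example, not code from the original post or from the UAB lab; both HTML snippets are constructed, and the list of sensitive name fragments is a heuristic assumed for this example. It generalizes past the four brands: any form whose rendered fields exceed the served ones is flagged.

```python
"""Spot web-inject additions by diffing served HTML against the rendered DOM.

Added example (not code from the original post or the UAB lab). Both HTML
snippets are constructed: the 'served' one stands for the page as the bank's
server sent it, the 'rendered' one for the DOM after an in-browser inject has
added card, CVV, PIN, date-of-birth and SSN fields of the kind described above.
"""
from html.parser import HTMLParser

# Name fragments that mark a field as harvesting sensitive data (heuristic,
# an assumption of this example; extend for your own forms).
SENSITIVE_TOKENS = ("card", "cvv", "cvc", "pin", "ssn", "dob", "birth", "expir")

SERVED_HTML = """
<form id="login" action="/signin" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="constructed-token">
  <input name="remember" type="checkbox">
</form>
"""

RENDERED_HTML = """
<form id="login" action="/signin" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="constructed-token">
  <input name="remember" type="checkbox">
  <!-- fields below were added by the inject, not by the server -->
  <input name="card_number" type="text">
  <input name="expiry" type="text">
  <input name="cvv" type="password">
  <input name="pin" type="password">
  <input name="dob" type="text">
  <input name="ssn_last4" type="text">
  <input name="tracker" type="hidden" value="x">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect (form, field_name, field_type) for every field inside a <form>."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self._form = None  # identifier of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = a.get("id") or a.get("name") or a.get("action") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self.fields.add((self._form, name, (a.get("type") or tag).lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def form_fields(html: str) -> set:
    """Set of (form, name, type) triples for all fields in the document."""
    p = FormFieldCollector()
    p.feed(html)
    p.close()
    return p.fields


def injected_fields(served_html: str, rendered_html: str) -> list:
    """Fields present in the rendered DOM but absent from the served page.

    Returns a sorted list of (form, name, type, sensitive) tuples."""
    added = form_fields(rendered_html) - form_fields(served_html)
    return [(form, name, typ, any(tok in name for tok in SENSITIVE_TOKENS))
            for form, name, typ in sorted(added)]


if __name__ == "__main__":
    for form, name, typ, sensitive in injected_fields(SERVED_HTML, RENDERED_HTML):
        flag = "SENSITIVE" if sensitive else "added"
        print(f"{flag:9} form={form} field={name} type={typ}")
```

A check that runs inside the same compromised browser can itself be tampered with, so the comparison is most trustworthy when the bank performs it outside the victim's browser, for example by having its page report the rendered field set to the server and diffing that against the template it actually sent.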

Researchers will dive in deep and try to reverse engineer the binary for additional information. Stay tuned for more updates. In the meantime, if you hear a friend complaining that their bank is asking them for too much information -- it may mean that they are infected with malware!